With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

VPN services let consumers gain extra privacy and security while using the Internet. A user establishes an encrypted tunnel to the VPN provider's server and routes all Internet traffic through it; the provider decrypts the traffic and forwards it on to the rest of the Internet. The user's ISP or local network sees only encrypted traffic to the VPN server, and the sites the user visits see the VPN server's address rather than the user's.

Some VPN services promise only protection from common hackers, which is useful for people seeking extra security while surfing the Web on public Wi-Fi networks, where anyone else on the network can observe unencrypted traffic. To hide one's traffic from Internet service providers or governments, people look to VPNs that promise not to keep any logs that might reveal what they use the Internet for, since the provider itself can see where every connection that leaves the tunnel is going.

CryptoSeal's description of its business VPN service says it's not designed to hide information from the government. "CryptoSeal Connect is not designed as a BitTorrent or other file-sharing VPN and is not designed to give you anonymity against the legal system," the company said. "We fully comply with all warrants and subpoenas and are located in the United States. We suggest using systems such as the Tor Project for anonymity requirements."

The possibility of handing cryptographic keys over to the government is a troubling one, though. "For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action," CryptoSeal wrote.

Lavabit case raises troubling legal possibilities

The company referred to the case of Lavabit, an e-mail service that shut down rather than comply with government orders to monitor user communications. A legal filing in that case raises a possibility that is troubling for CryptoSeal. Specifically, it describes "a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device," CryptoSeal wrote.

"Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner," CryptoSeal continued. "The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion and likely unconstitutional. But until this matter is settled, we are unable to proceed with our service."
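The distinction CryptoSeal draws, between a key that merely identifies the server and one that protects message contents, depends on how the session key is negotiated. The following is an added Python illustration written for this page, not CryptoSeal's code: a toy static Diffie-Hellman exchange, in which the server's long-term key is the key-agreement key (the same property as RSA key transport in older TLS cipher suites), beside an ephemeral exchange, with a passive recorder that later obtains the long-term private key. The group parameters, the HMAC-based stream cipher, the message and every function name are constructed for the example and are not fit for real use.

```python
# Added illustration (not CryptoSeal's code): two toy key exchanges and a
# passive recorder that is later handed the server's long-term private key.
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2**521 - 1 with generator 3.
# Chosen only because it is short to write down and certainly prime; a real
# deployment uses an RFC 7919 finite-field group or an elliptic curve.
P = 2**521 - 1
G = 3
P_BYTES = (P.bit_length() + 7) // 8  # 66


def keypair():
    """Fresh Diffie-Hellman key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive(shared: int) -> bytes:
    """Toy KDF: the session key is SHA-256 of the shared group element."""
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def session_static(server_pub: int, server_priv: int, plaintext: bytes) -> dict:
    """Static DH: the server's long-term key *is* the key-agreement key,
    the same property as RSA key transport in older TLS suites.
    Returns only what a passive recorder sees on the wire."""
    client_priv, client_pub = keypair()
    key = derive(pow(server_pub, client_priv, P))
    assert key == derive(pow(client_pub, server_priv, P))  # both sides agree
    return {"client_pub": client_pub, "ciphertext": xor_stream(key, plaintext)}


def session_ephemeral(plaintext: bytes) -> dict:
    """Ephemeral DH (forward secrecy): both sides use one-time exponents.
    In real TLS the long-term key only *signs* the server's share; that
    signature is omitted here because it contributes nothing to the secret."""
    client_priv, client_pub = keypair()
    eph_priv, eph_pub = keypair()
    key = derive(pow(eph_pub, client_priv, P))
    assert key == derive(pow(client_pub, eph_priv, P))
    del client_priv, eph_priv  # erased after the handshake, never on the wire
    return {"client_pub": client_pub, "server_pub": eph_pub,
            "ciphertext": xor_stream(key, plaintext)}


def recorder_attempt(transcript: dict, compelled_priv: int) -> bytes:
    """A passive recorder, later handed the server's long-term private key,
    tries to finish the recorded handshake itself and decrypt."""
    key = derive(pow(transcript["client_pub"], compelled_priv, P))
    return xor_stream(key, transcript["ciphertext"])


def demo(message: bytes = b"hello over the tunnel") -> dict:
    """Run both exchanges and report which one the compelled key unlocks."""
    server_priv, server_pub = keypair()  # the key an order could demand
    static = session_static(server_pub, server_priv, message)
    ephemeral = session_ephemeral(message)
    return {
        "static_recovered": recorder_attempt(static, server_priv) == message,
        "ephemeral_recovered": recorder_attempt(ephemeral, server_priv) == message,
    }


if __name__ == "__main__":
    print(demo())  # {'static_recovered': True, 'ephemeral_recovered': False}
```

With a static exchange the compelled key decrypts every recorded session, past and future; with an ephemeral exchange the long-term key would at most let someone impersonate the server in new connections, an active attack that a recorder of past traffic cannot mount. A provider weighing the risk CryptoSeal describes should therefore check which key-exchange methods its servers actually negotiate, not just whether the private key is well protected.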

CryptoSeal is investigating "alternative technical ways" to comply with US law without sacrificing user privacy, but in the meantime it is offering customers refunds as well as "one year subscriptions to a non-US VPN service of mutual selection" and "free service for one year if/when we relaunch a consumer privacy VPN service." CryptoSeal also encouraged people to donate to a Lavabit legal fund.

We've contacted CryptoSeal to ask why it's able to keep its business service open but haven't heard back yet. Selling to enterprises is more lucrative than selling to consumers, of course, providing one possible reason CryptoSeal chose this route. Another factor is that businesses seeking a VPN service may be more concerned about security from hackers than about hiding Internet activity from governments and Internet service providers.

A comment on Hacker News apparently posted by CryptoSeal founder and CEO Ryan Lackey points to the cost of legal services being one of the main factors.

"The financial issue was the potentially huge liability due to a legal action or battle, not the (small) costs of operating the service," Hacker News user "RDL" wrote. The service "was covering operating costs and some profit," but the risk of defending against a government order would have wiped that out.

"If we were the legally best VPN option, I would probably have pushed to keep it going anyway and just shut down when/if that happened, but as it is, non-US providers run by non-US people (there are several good ones) are an objectively better option, so in good conscience there's no reason to continue running a US privacy VPN service without technical controls to prevent being compelled to screw over a user," RDL wrote.

UPDATE: Lackey replied to Ars, explaining the different security requirements for the business service. "The users are businesses who usually want to monitor (automatically) their employees, for things like DLP [data loss prevention]," he wrote in an e-mail. "They also are all in regulated industries so far with logging and monitoring requirements in excess of what a court order might require, so the pen register 'loophole' isn't a concern for them at all."

He also noted that the biggest risk of continuing the service wasn't necessarily the cost of hiring lawyers, but that being in contempt of court could have landed him in jail.

Promoted Comments

So, if they were running the service under one understanding of the law, and now have reason to believe this understanding was incorrect, are they (potentially) violating evidence-destruction laws?

"We didn't think we were breaking the law, but now we think we might be, so we DBANned the server." Obviously it's a bit more complex than that, but...

To those who haven't been following the stories, the speculation on this is actually pretty straightforward:

Quite a few large companies have received requests from the NSA to insert backdoors, or to grant access to their private keys, to enable snooping on all users. (Companies like Apple and Microsoft have, I think, been victims for quite a long time) What's worse, notifying the public about such requests breaches a particular gag order that tends to be sent along with it. If Steve Ballmer were to announce what the government had asked of them, then he could quite literally be jailed.

The alternative, for smaller companies that exist to serve their customers, is to shut down; their goal is to provide a secure product, and with that government order, they can no longer do so; or notify anyone why. I can't remember specific names, but this has already happened with a few companies. I believe it's being referred to as the "Crypto Seppuku Oath" or similar.

168 Reader Comments

I wonder if the inability to unlock a single person's data was intentional as a way of increasing the perceived cost of monitoring any individual customer.

Feds: Put a tap on John Smith's communications. Here's the warrant.
Provider: The only way to do that would be to give a key to ALL my users' data. You wouldn't want to violate the privacy of ALL those people just to get one little user, would you?
Feds: Hand over the key.
Provider: I just swallowed it.
Feds: Get in the ambulance.

I agree. I see this strategy all the time because I have young children. It's essentially "I intentionally made it too costly to comply." Back when my son was 1 year old, we tried putting him in his crib for being a jerk. It's questionable whether a one year old is too young for punishment, but it was "time out" style, not exactly waterboarding. He responded by barfing all over the bed. I guess it worked, we didn't use that approach again.

I think CryptoSeal has a point, but you see it all the time all over the place. That's why environmental regulations finally stopped caring what the compliance cost was. Sometimes that's bad, but every time we came up with any rule, the immediate industry response was to say "This will cost $100 billion", then if we went ahead with it anyhow, it actually turned out to be more like $10B instead of 100.

You are operating under the assumption that this is a move based purely upon dickishness, and not considering that there's no technological difference between a court-ordered wiretap and a cartel-ordered wiretap. Consider the following article's arguments: https://freedom-to-tinker.com/blog/felt ... er-attack/

So please explain to us by which legal means the government is able to read ALL your mail at ANY given time without due process, probable cause and a judge-approved warrant. You still haven't told us that. Kind of a big deal, really.

An email provider and a VPN provider shut down because they were unable to comply with a warrant aimed at specific users without hosing all of their other users.

This is like saying the only way the cops can search one hotel room is to turn all the hotel's interior walls to glass. Whose idea was that?

They could have just asked for the specific info they were looking for, instead of demanding unfettered around the clock access that is basically a permanent access to the customer's information.

It's called a wiretap, and there is a reason it requires a warrant. Note that is for a customer's information. Not for all customers' information.

The Patriot Act was passed essentially as a war-time measure and adds to the historical list of federal intrusions into both 1st and 4th Amendment protections under the guise of improving national security. The fundamental problem in this particular case (much like the Cold War...) is that there is no clear endpoint where we can declare victory and turn our digital swords back into plowshares.

Well, yes, the PATRIOT act has that issue. But since Acts of Congress aren't capable of overriding the Constitution, and the First Amendment hasn't been revoked, I still don't see how PATRIOT Act gags are constitutionally valid. There just doesn't seem to be any jurisprudence that supports this theory, yet the constitutional validity of the gag orders appears to be broadly accepted. I certainly haven't heard of any gag order recipients challenging the validity of the gag order on constitutional grounds, which seems odd.

After all, if the gag order isn't valid, what's to stop you from going to court to challenge it? The gag order itself? That seems like circular logic of the most insidious kind.

The gag order itself, yes. The only court you can appeal to is the FISCR, a secret court with judges appointed solely by the Chief Justice of the SCOTUS, and they pretty much always agree with the FISC. You can't take it to a district court and attempt to climb the ladder to the SCOTUS because telling a non FISA judge about the gag order is a violation of the gag order.

Could not some of these problems be reduced if providers permitted users to create their own key pairs? But I have yet to meet the provider who offers this option.

Take, for example, proxy services. Those need my public key to send data to me, and vice versa. But they shouldn't need my private key. In fact, having my private key creates the risk that the NSA will demand the key and use it to decrypt captures of traffic that was sent to me.

Admittedly, this only solves half of the problem. But it would be a start.

Recently the NSA took another aggressive step and asked top tech companies to keep their mouths shut about NSA spying. But I think the court should take the right action to ensure the privacy of a single person. This is no excuse to violate privacy at the cost of so-called National Security. Read some other important details about the following update. Source: http://goo.gl/F0x4Oi

The odds of "undesirables" (who are under surveillance) signing up for the service are likely much greater when you allow anyone, as opposed to restricting it to known companies.

So company owners with a lot of money are lower risks than people who work for a weekly paycheck?

The company owner customers need protection against hackers, which CryptoSeal can generally still provide them, because I don't imagine the NSA is sending out that many subpoenas (or whatever they are called) to tap into the traffic of corporate entities.

The individual terrorist customers need protection against the NSA, which CryptoSeal can generally not still provide, as the NSA will force them to hand over the keys.

Simple solution: get rid of customers likely targeted by the NSA.

Yes it would be 'simple' to just get rid of the customers who are terrorists. Why didn't they just do that one 'simple' thing?

That was the McCarthy solution to communism in Hollywood. If there's communists everywhere, just stop hiring communists!